AD Synchronisation fails

Hi,

We are having issues with syncing our AD server.

It seems like some entries have the special char "\0A" in cn (new line, I guess), which causes the following exception: part1cn (before new line), part2cn (after new line).

I understand that this entry is bad, but I expect Stash/Crowd to ignore this entry and continue the sync.

Does this exception cause the sync to halt?

If it does, is it possible to ignore this entry and continue the sync?

If it doesn't, maybe "Synchronisation failed" should be rephrased to "Synchronisation completed with errors"?

Looking forward to your reply

Thanks in advance

 

2014-12-22 15:40:47,007 ERROR [clusterScheduler_Worker-2] c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 1572865 ].
org.springframework.ldap.InvalidNameException: cn=part1cn
part2cn,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8349, best match of:
'cn=part1cn
part2cn,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com'
^@]; nested exception is javax.naming.InvalidNameException: cn=part1cn
part2cn,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8349, best match of:
'cn=part1cn
part2cn,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com'
^@]; remaining name 'cn=part1cn
part2cn,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com'
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:136) ~[LdapUtils.class:2.0.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:820) ~[LdapTemplate.class:2.0.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:803) ~[LdapTemplate.class:2.0.2.RELEASE]
at org.springframework.ldap.core.LdapTemplate.lookup(LdapTemplate.java:935) ~[LdapTemplate.class:2.0.2.RELEASE]
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$9.timedCall(SpringLdapTemplateWrapper.java:286) ~[SpringLdapTemplateWrapper$9.class:na]
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$TimedCallable.call(SpringLdapTemplateWrapper.java:124) ~[SpringLdapTemplateWrapper$TimedCallable.class:na]
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:87) ~[SpringLdapTemplateWrapper.class:na]
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.lookup(SpringLdapTemplateWrapper.java:282) ~[SpringLdapTemplateWrapper.class:na]
at com.atlassian.crowd.directory.RFC4519Directory.findDirectMembersOfGroup(RFC4519Directory.java:959) ~[RFC4519Directory.class:na]
at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findDirectMembersOfGroup(MicrosoftActiveDirectory.java:516) ~[MicrosoftActiveDirectory.class:na]
at com.atlassian.crowd.directory.RFC4519DirectoryMembershipsIterable$2.apply(RFC4519DirectoryMembershipsIterable.java:78) ~[RFC4519DirectoryMembershipsIterable$2.class:na]
at com.atlassian.crowd.directory.RFC4519DirectoryMembershipsIterable$2.apply(RFC4519DirectoryMembershipsIterable.java:70) ~[RFC4519DirectoryMembershipsIterable$2.class:na]
at com.google.common.collect.Iterators$8.next(Iterators.java:812) ~[Iterators$8.class:na]
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseMemberships(AbstractCacheRefresher.java:196) ~[AbstractCacheRefresher.class:na]
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:98) ~[AbstractCacheRefresher.class:na]
at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:161) ~[UsnChangedCacheRefresher.class:na]
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:1122) ~[DbCachingRemoteDirectory.class:na]
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:76) ~[DirectorySynchroniserImpl.class:na]
at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50) ~[DbCachingDirectoryPoller.class:na]
at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobRunner.runJob(DirectoryPollerJobRunner.java:93) [DirectoryPollerJobRunner.class:na]
at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:135) [JobLauncher.class:na]
at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:101) [JobLauncher.class:na]
at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:80) [JobLauncher.class:na]
at com.atlassian.scheduler.quartz2.Quartz2Job.execute(Quartz2Job.java:32) [Quartz2Job.class:na]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [JobRunShell.class:na]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [SimpleThreadPool$WorkerThread.class:na]
... 12 frames trimmed
Caused by: javax.naming.InvalidNameException: cn=part1cn

4 answers

Looks like this is how Active Directory is handling duplicate entries: http://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx#When_a_Duplicate_RDN_in_an_OU_or_Container_is_Detected

I find it weird that SonarQube, Subversion Edge and Jenkins can handle these bad entries perfectly fine and Atlassian products have trouble with it.

0 vote
Boris Berenberg Community Champion Dec 22, 2014

The sync will fail and should not be trusted. I would exclude the affected objects explicitly via the LDAP filters.

Thanks for the quick reply, Boris. The affected objects are all around the LDAP (different OUs). I tried using How to Write LDAP Search Filters, but it didn't work for me, maybe due to the newline in the middle of the cn, or I didn't write it well.
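An added example, not part of the original thread and not Crowd's own code: in an LDAP search filter a newline has to be written as the RFC 4515 hex escape `\0a`, so an exclusion clause for these entries is built as below. The base filter `(objectCategory=group)`, the function names and the second sample DN are assumptions made for illustration.

```python
import re

# RFC 4515 filter metacharacters; these and all control bytes get hex-escaped.
_FILTER_SPECIAL = set(b"\x00()*\\")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample DNs; the first mirrors the entry in the log above.
SAMPLE_DNS = [
    "cn=part1cn\npart2cn,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com",
    "cn=developers,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com",
]

def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in _FILTER_SPECIAL or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)   # newline becomes \0a
        else:
            out.append(chr(byte))
    return "".join(out)

def exclude_cn_containing(base_filter, fragment):
    """AND base_filter with a NOT clause dropping entries whose cn contains fragment."""
    return "(&%s(!(cn=*%s*)))" % (base_filter, escape_filter_value(fragment))

def first_rdn_value(dn):
    """Value of the leftmost RDN (simplified: splits on the first unescaped comma)."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    return rdn.split("=", 1)[1]

def find_bad_dns(dns):
    """Return the DNs whose leftmost RDN value contains a control character."""
    return [dn for dn in dns if _CONTROL.search(first_rdn_value(dn))]

def escape_dn_control_chars(value):
    """Render control characters as RFC 4514 hex pairs, e.g. newline as \\0A."""
    return _CONTROL.sub(lambda m: "\\%02X" % ord(m.group()), value)

if __name__ == "__main__":
    print(exclude_cn_containing("(objectCategory=group)", "\n"))
    for dn in find_bad_dns(SAMPLE_DNS):
        print("control character in RDN:", escape_dn_control_chars(dn))
```

`find_bad_dns` can be run over an exported list of DNs to see which objects the exclusion clause needs to cover before changing the directory's filter.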

0 vote

Hi Idam, 

The error code 34 means a bad DN as you can see on this link.

Looking into your error message, it looks like your LDAP URL is wrong:

NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8349, best match of:
'cn=part1cn
part2cn,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com'

 

I could see your LDAP path should be:

'cn=part1,cn=part2,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com'

and not

'cn=part1cnpart2cn,ou=groups,ou=someou,ou=cci,dc=corp,dc=bla,dc=com'

 

If it isn't the problem, could you confirm your correct LDAP base?

 

Regards, 

Renato Rudnicki

Thank you for the reply, Renato. The LDAP configuration is working perfectly and in 3 other Java web applications; the other web apps are just ignoring the bad names (this case is due to the new line char "\0A").

There is already an improvement ticket.

 

https://jira.atlassian.com/browse/CWD-4174
